from the MS-US-Internet-Explorer-10,-now-available-for-download! dept

Microsoft has painted a picture that its relationship with the NSA and FBI isn't a cozy one, but one based on forced compliance. The company has recently been taking shots at Google with its "Scroogled" campaign, claiming it kept users' data more secure. Then news surfaced that Microsoft was providing intelligence agencies with zero-day exploits for deployment by the agencies before getting around to patching them, leading to questions as to its expressed concern for its customers.

Microsoft has collaborated closely with US intelligence services to allow users' communications to be intercepted, including helping the National Security Agency to circumvent the company's own encryption, according to top-secret documents obtained by the Guardian.

The documents show that:

• Microsoft helped the NSA to circumvent its encryption to address concerns that the agency would be unable to intercept web chats on the new Outlook.com portal;

• The agency already had pre-encryption stage access to email on Outlook.com, including Hotmail;

• The company worked with the FBI this year to allow the NSA easier access via Prism to its cloud storage service SkyDrive, which now has more than 250 million users worldwide;

• Microsoft also worked with the FBI's Data Intercept Unit to "understand" potential issues with a feature in Outlook.com that allows users to create email aliases;

• Skype, which was bought by Microsoft in October 2011, worked with intelligence agencies last year to allow Prism to collect video of conversations as well as audio;

• Material collected through Prism is routinely shared with the FBI and CIA, with one NSA document describing the program as a "team sport".

This damaging set of documents indicates that Microsoft talks a pretty good game when it comes to privacy, but the protection it actually offers is less than skin deep.

Microsoft's latest marketing campaign, launched in April, emphasizes its commitment to privacy with the slogan: "Your privacy is our priority."

Microsoft has responded to this leak with a statement claiming its actions are above-board and completely legal. The NSA released a statement as well, claiming, as Microsoft does, that everything detailed is fully compliant with applicable laws. As usual, the NSA statement makes reference to "strict oversight" and "careful monitoring," empty phrases its deployed before that are ultimately meaningless without any corresponding transparency.

Again, speaking to the "legality" of these actions is nothing more than self-serving rhetoric. As has been expressed before, the real scandal isn't that large-scale surveillance is happening. It's that it's legal. Secret courts issuing secret interpretations that companies like Microsoft are compelled to comply with. Microsoft may say it "rejects" demands that it doesn't deem "valid," but does anyone not think these rejections aren't simply overridden?

There are ways to comply with government requests which don't take the form of working closely with intelligence agencies to undercut the same privacy you're telling the public you're so interested in protecting. (Maybe ask Twitter for some advice...) Giving intelligence carte blanche access to data pre-encryption doesn't sound like the actions of a company that regularly challenges government requests. It sounds more like the compliance of a company who'd rather not jeopardize OS sales and support to one of its biggest customers.

Untrustworthy...

It seems that just about everyone involved in transmitting data, has been eagerly handing it to the NSA. It goes without saying that M$ is a conniving, crooked, dishonest and untrustworthy sack of sh*t, however is there nobody out there to trust anymore? Do I need to move to another country? Or would it not even make a difference?

At least according to orig article there's massive (secret) oversight and accountability to (secret) courts.

The reason we have laws is that people who "can", "do". If they can spy, they will. If they can railroad a person and take their property, they will. We can't really stop people from going on like this, but we can keep it illegal so there is some slice of hope for justice down the road for victims of those who "did".

I'm just hoping that after all this we the sheeple don't make this crap legal.

Wow. Very few countries or citizens will be willing to run MS Spyware Software (MSSS) after this.

If anyone has stock in Microsoft, consider selling it ASAP before the bottom completely falls out. It's already been falling out with Win8 and flopRT, but these new revelations make MS's bottom look like it's made out of wet cardboard.

Might have jumped the gun a bit there...

Going on the attack against other companies, talking about how 'serious' you take customer privacy, only to have it revealed that you're only serious until someone asks for customer info, in which case you do everything in your power to help them get it... yeah, just kinda screwed up the PR efforts there.

On the other had, this does offer one heck of a PR chance for those other companies... 'Yes we may be forced to hand over customer data when ordered to by the government, but unlike companies like Microsoft, we don't go out of our way to assist in the collection of your personal data.'

(Semi-related tangent)
Honestly, with how close MS is proving to be with various government agencies, and the Xbone's mandatory, always on camera, I can only assume that anyone still planning on buying it is obsessed with the few games listed for the system, and/or is simply has no clue as to the MS/government connections.

Re:

And advertising-centric companies (Google, now Microsoft as well), love that they can force you to view ads or mine your data for marketing content whenever you use their services.

What we really need are more free, convenient, "do it yourself" cloud devices. I know several linux-based solutions already exist that you can run from home, or from your own hosted server, but they don't easily integrate with all devices like dropbox, google drive, or skydrive would.

Re: Untrustworthy...

is there nobody out there to trust anymore

There never was and there never will be. It's one of the main reasons why you should not allow any third party to hold or transfer data that you don't want anyone else to see -- that rule has always been true, and in these days of the cloud fad, it's even more important to keep this in mind.

For best results, minimize the amount of data stored by third parties, and encrypt everything.

"• Microsoft also worked with the FBI's Data Intercept Unit to "understand" potential issues with a feature in Outlook.com that allows users to create email aliases; "

That may explain why I spent 20 minutes of reading web posts and clicking all over the outlook.com to try and figure out how to setup a quick email alias. I gave up and set it up on one of my gmail accounts.

I can only assume that anyone still planning on buying it is obsessed with the few games listed for the system, and/or is simply has no clue as to the MS/government connections.

While I don't think the camera on the XBox is as big of a problem as it's made out to be, the close and cozy relationship between Microsoft and various TLA intelligence agencies goes way back and has been common knowledge for decades, at least in the software industry.

outlook?

It's that it's legal. Secret courts issuing secret interpretations that companies like Microsoft are compelled to comply with. Microsoft may say it "rejects" demands that it doesn't deem "valid," but does anyone not think these rejections aren't simply overridden?

If a law is unknown it is not law. It is simply a codification of the practices of dictatorship.

I know people like to play mental tricks to self-justify and pat themselves on the back... but really... secret laws? What the hell good is a secret law to anyone.

There are no secret laws. Who is beholden to a secret law? The law is only good for the people with access to and protection under it.

Law is our set of guidelines by which we can run a maintain society... agreed upon social norms that we set as standard expectations so that we can more peacefully get along in commerce and fellowship.

A "secret law" is an oxymoron if there ever was one.

Secret rules are only set to let secret men feel secure about doing awful things to lawful citizens.

Re:

Absolutely NOTHING in the cloud can be trusted. If the data is not on machines controlled by you (sitting on your desk) its almost certainly being passed around without your consent. And that so say nothing of spyware...

There is a cyber-pearl harbor going on right now, its just that this "cyber-war" is being waged by the government against the people, not the other way around. Our privacy and security have already been sunk, and our civil liberties are burning and down by the head.

Nonetheless, I hope all they have done is to awaken a sleeping giant and fill him with a terrible resolve...

Re: Re: Re: Untrustworthy...

"And furthermore - should you trust proprietary, closed-source software written by a third party?"

You raise an interesting question because with third partry closed-source software you can not review the code for any back doors. With open-source software, you can review the code for back doors and it would be harder to hide a back door in the code. The issue is how much do you or I trust the specific vendor of the closed-source software. The openness of open-source software is inherently more trustworthy because the developers are not deliberating hiding anything.

I wonder long-term how the NSA spying scandle will affect Windows or MS Office in particular if customers decide enmass MS can not be trusted.

All commercial transactions rely heavily on the buyer believing then can trust the vendor and manufacturer (if different). Contracts are often used to codify and clarify the relationship but do not remove the element of trust.

Oddly it may be in MS' long-term best interests to consdier making their products open-source.

Re: Re: Re: Untrustworthy...

Ha

I find it hilarious every time someone calls Stallman a "conspiracy theorist".

Stallman is probably the one person in the world who is fighting for your freedom to use a computer. He takes such ridiculous precautions when using his computer because he knows more than anyone that every last byte of info that's being transmitted is being used against him. We're only now finding that out nearly twenty years after he realized it.

All I'm saying is: Branding people as "Conspiracy theorists" without taking the time to understand what it is they are saying is the move of a sheep. "Four legs good, two legs bad" and all that. I find it unreal that people are still calling him that when it has been revealed that he was right all along.

Re:

Linux, the kernel, is audited all the time. I'm pretty sure SELinux has had complete teardowns more than a few times because literally no one trusted them when they first announced they were releasing open source software.

The thing to worry about isn't the integrity of the kernel, it's all the damn packages that every user feels they "need to have" in order to run a computer. All the driver blobs, and packages that aren't found on repositories, or extensions that are seemingly made out of thin-air? Those are the things that need constant, 100% scrutiny.

It makes far more sense for the NSA to let the user bug themselves than it is for them to attempt to infiltrate a close-knit group of some of the best programmers in the world. It's why Facebook is so popular.

Re:

Re: Re: Re: Re: Untrustworthy...

"I wonder long-term how the NSA spying scandle will affect Windows or MS Office in particular if customers decide enmass MS can not be trusted."

In all likelihood, not at all. Their biggest customers are the government, if anything this makes them even more likely to buy.

And for the sheeple? They just keep using Windows, because its easy. Linux is still very hard to work with, often requiring knowledge of the command line to do even basic tasks. And although, most games work on Linux (with wine), they often don't work well, that's the only reason I still dual boot...

And Apple, well, lets just say that hamfisted control over everything has been their game from day one. I'm sure they willingly hand over every byte of data to the NSA, after scrutinizing it carefully themselves of course.

Re: Re:

Sorry but open to inspection means SFA until the code is audited and verified.
Some coder alleged to have inserted backdoors into OpenBSD at the behest of the FBI, the devs went over their code with a fine-toothed comb to prove it was clean.
A similar approach from the Linux devs certainly wouldn't go amiss.

Re: Re:

This doesn't change the fact that a 'secret law' does not exist in a society of Rule of Law; only in dictatorships. If I recall correctly.. that's not (or was not) supposed to be how we run things here.

Re: Re: Re: Re: Re: Untrustworthy...

how do you know a closed-source compiler isn't inserting back doors into any open-source code you compile?

You don't, obviously. However, there's an interesting historical event around this kind of thing that involves open source and should be kept in mind:

Dennis Ritchie, the designer of the first C compilers and one of the authors of the original Unix, had put an administrative backdoor into the OS's login program.

Just in case someone was looking through the source code and found it, he also altered the C compiler itself to check for this and to reinsert the backdoor if the login program was recompiled.

This went completely undetected until he revealed it himself in his acceptance speech when he got a Turing Award.

The lesson: just using open source -- although better than using closed source -- is no panacea for this sort of thing. Stuff can be hidden in open source code such that it's hard to find (if, indeed anyone looks).

Everyone is missing the bigger story here. Microsoft just admitted they have back doors into the email service of choice for every large corporation out there. This is pretty huge when you consider that companies like the one I work for directly compete with Microsoft's other products. They've actively developed a backdoor into their competitors inbox. Regardless of the reasoning for doing it, that now exists.

Clear Violation of Privacy Policy

Since this seems to be a clear violation of their Privacy Policy can they be sued? Since they say that they are a TRUSTe certified site and this seems to indicate that they have violated that standard should they have their accreditation revoked? Regardless of whether or not what they did was illegal, their violation of their own Privacy policy and the violation of the TRUSTe guidelines seems to indicate that, at the very least, some innovative young lawyer is going to start a class action lawsuit against Microsoft on those grounds. I hope the John Steele fiasco is over by then because there are only so many court cases that I can keep track of.

Worst fears realized

About 2 years ago, when MS stated that they would be buying Skype, that was the end of the road for me and that program.

I'd heard vague mutterings about the NSA and MS previous to that, and I assumed that they would hand over the keys to their newest acquisition promptly.

I was right, and justified in not again using Skype. I don't do that anymore..because MS can't be trusted, along with all the other big tech companies.

Pretty soon we'll be back to using landlines and coffee cans for communication, and FTP servers to send files.

Yes, indeed, such a secure feeling now, isn't it?

Let's just now assume every single tech company has been co-opted by the NSA, and assume everything is sent to them either voluntarily (most of the time) or involuntarily.

Don't listen to their 'well, we really value your privacy."-with fingers crossed behind their backs. They're laughing at us, you know. We're idiots-we trusted them too much, and all the while they were selling their souls to the US government.

Re: Re:

No...not secretly. Windows keeps all kinds of logs. From cache to history to thumbs.db, it logs everything. Use a good cleaning program like Tracks Eraser Pro or CleanUp!, and you will see many of the logs Windows keeps as the program is cleaning. And you can stop thumbs.db by cleaning it and then checking "Do not cache thumbnails".

Re:

Re: Clear Violation of Privacy Policy

Since this seems to be a clear violation of their Privacy Policy can they be sued?

No, because they didn't violate their privacy policy. Read it -- there's a clause in there about how they will give any or all information in response to legal requests from the government. Nearly all privacy policies include wording along these lines.

Response to: Alana on Jul 11th, 2013 @ 12:34pm

There is a way to circumvent NSA spying completely. Get a VPN tunnel that uses something that is known as perfect forward secrecy (as an example google: "HushTunnel") and run your Internet facing apps through it (web, email, Skype ...)

How to circumvent wiretapping

There is a way to circumvent NSA spying completely. Get a VPN tunnel that uses something that is known as perfect forward secrecy (as an example: "HushTunnel") and run your Internet facing apps through it (web, email, Skype ...)

An uncomfortable thought

Ok, so now we know MS has been working hand in glove with the NSA to intercept data/information/user details.

That much is a bit of a wowser, true.

What if: they went a step further, and MS made a undetectable piece of software that got into all of their security updates for every single registered computer which allows the NSA to directly access the user's computer without detection by the computer user? It wouldn't set off alarms or your AV at all.

Sort of a 'submerged subprogram' that innocently installs as part of the updates that MS is famous for.

Don't tell me it can't be done. We know what they've done so far, and this isn't that far fetched, now, is it?

Paranoid? Perhaps....but one never knows what kind of 'working relationship' the NSA is capable of making with companies do we?

"We'll make you an offer you can't refuse-if you give us all this stuff, your company will never be prosecuted or sued again for whatever you did before."

Re: Might have jumped the gun a bit there...

It's revelations like this that makes those who are paranoid about the XbOne's camera & mike vindicated.

It may be true that the NSA doesn't have access, but this is a "better safe than sorry" circumstance if I ever saw one.

There is such a thing as not being paranoid enough, regarding certain things.

Also, I finally understand the slow roll out of the leaks. It isn't so the Guardian can redact the damaging stuff. It's to give everyone involved enough rope to hang themselves w/!

1. First leak that the NSA is spying, knowing they'll deny it, like they have in the past.
2. Then leak the who they're using, & let them deny that.
3. Then leak the how, w/ proof of who, & see everyone backtrack on the "not" & explain how they're forced to.
4. Then leak that EVERYONE is spied on, & watch the denial wave & excuses come together. This was about where those in Congress in the know started talking about oversight... which appears to also be a lie. Just like the cake.
5. Then leak that all the excuses have been lies so far, & that the "oversight" is a rubber stamp.
6. Now they're starting to leak specifics.

Since it seems to be the thing on Techdirt...
7. ???
8. Profit!?!?!?!?!?

Re:

Currently, click on your name in the upper right corner -> Account settings -> Add or change aliases.

I've set up a few once I worked out how (which was more difficult the first time than it is now).

If the Aliases are posing the NSA some trouble, it sounds like they were actually set up properly; though, your name (the one you click on to get there) is still displayed as your name when someone gets an E-mail from you through the alias, which is kinda stupid. At least I didn't use my real name when creating the account. Anyone who does needs to take lessons on basic online safety.

Yesterday it came to light that the NSA has been collecting millions of emails, chats and skydrive files from us each and every day. Since that news was released, many of you have called support with questions and concerns about this program. To save our time and yours, here are answers to three of the F.A.Q.s we’ve been hearing from you:

*1. Will I be charged extra for this service?*
We're happy to say that the answer is no. While the harvesting and surveillance of your emails, chats and cloud data were not part of your original service contract, we're providing this service entirely free of charge.

*2. If I add email aliases to my account, will those also be monitored?*
Once again, the answer is good news. If you want to add any additional accounts through our service, your emails, chats and other data will all be monitored by the United States government, at no additional cost.

*3. Can Microsoft help me fix Windows crashing issues?*
Unfortunately, no. Our close partnership with NSA to provide exploits / backdoors in our softwares may be responsible for some of the issues you're facing. Infact, we like to think of these as "features", some of which took us months to develop.

I hope we’ve helped clear up some of the confusion about this exciting new program. But if you have any further questions, please don’t hesitate to call support. Your calls may be recorded for "quality" purposes.

Re: An uncomfortable thought

That's not paranoia, they could do something similar with the kernel and you would probably never know. They could even implement a hypervisor (if they haven't already) and there's literally no way any kind of AV system would pick up on it.

Even then, let's be serious here, AV programs get false positives all the time. Any normal user that sees a windows process flagged is going to think "Oh, it just picked up a false positive" and ignore it.

Re: Response to: Alana on Jul 11th, 2013 @ 12:34pm

Not quite sure how this circumvents NSA spying when Microsoft, AT&T, Verizon, and probably others will gladly hand over whatever the NSA wants, and in all likely hood the NSA has gear at the server side to capture the traffic. All this really does is 'secure' your end of the communication and obfuscate the location of your connection. I can do that for free with a number of various methods and services. If they know the account is yours (and they do), and they can capture the data from the server side (and they can) what exactly have you accomplished?

Re:

"While I don't think the camera on the XBox is as big of a problem as it's made out to be..."

Actually it more evidence of Microsoft's untruthfulness. They say you can "turn it off", but the system won't work if Kinect is not plugged in. You'd have to be nuts to actually believe it's truly off given that restriction. If the customer has no need for it to be connected, why does Microsoft?

Re: Re:

Cloud storage is nothing more than data stored and accessed remotely off of a storage device you have no control over. Problem is, anyone can access that data. It's always best to use your own storage devices.

Re: Might have jumped the gun a bit there...

They could make their intentions completely obvious by putting a huge NSA emblem on the box with the caption: "We're WATCHING you!" and people would still be ignorant and purchase it. "Dude, gotta own the new Halo."

Would people pay Microsoft/NSA to set up a camera/mic in their house? Not a chance. Since they can't directly sell the public on the notion of having their privacy violated all day and night, they obfuscate their nefarious intentions by emphasizing all the fun features housed in their spy-box.

If they give the NSA unfettered access to Skype, Hotmail, etc., what makes anyone think that they won't do the same with the Xbox One Kinect? Logic please.

Re:

Yep. CALEA, another law the dumba** American people simply let pass and have stood for. Will the American people ever take responsibility for what they have let their government do? Nah, "The Voice" is on.

Re: xbone kinect

lets all setup servers that send thousands of messages all day ,encrypted of course, and the unencrypted message is randomgibberish of course,or lewd insults ...as well as hi new personreply not nede but very welcome. i means flood the net on port 25 so extensively that theres no point in monitoring, due to the large noise to signal ratio